[v2,4/4] Makefile: Add provision for embedding public key in platform's dtb

Message ID 20210412150526.29822-5-sughosh.ganu@linaro.org
State New
Series
  • Add support for embedding public key in platform's dtb

Commit Message

Sughosh Ganu April 12, 2021, 3:05 p.m.
Add provision for embedding the public key used for capsule
authentication in the platform's dtb. This is done by invoking the
mkeficapsule utility which puts the public key in the efi signature
list(esl) format into the dtb.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

---

Changes since V1: None

 Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.17.1

Comments

AKASHI Takahiro April 28, 2021, 5:39 a.m. | #1
On Mon, Apr 12, 2021 at 08:35:26PM +0530, Sughosh Ganu wrote:
> Add provision for embedding the public key used for capsule
> authentication in the platform's dtb. This is done by invoking the
> mkeficapsule utility which puts the public key in the efi signature
> list(esl) format into the dtb.
> 
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> 
> Changes since V1: None
> 
>  Makefile | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/Makefile b/Makefile

> index b72d8d20c0..ebd4a6477c 100644

> --- a/Makefile

> +++ b/Makefile

> @@ -1011,6 +1011,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }

>  quiet_cmd_lzma = LZMA    $@

>  cmd_lzma = lzma -c -z -k -9 $< > $@

>  

> +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@

> +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \

> +	-D $@


Instead, we can do

$ dtc -@ -I dts -O dtb -o pubkey.dtbo pubkey.dts
$ fdtoverlay -i test.dtb -o test_pubkey.dtb -v pubkey.dtbo

-Takahiro Akashi


> +

>  cfg: u-boot.cfg

>  

>  quiet_cmd_cfgcheck = CFGCHK  $2

> @@ -1161,8 +1165,14 @@ endif

>  PHONY += dtbs

>  dtbs: dts/dt.dtb

>  	@:

> +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)

> +dts/dt.dtb: u-boot tools

> +	$(Q)$(MAKE) $(build)=dts dtbs

> +	$(call cmd,mkeficapsule)

> +else

>  dts/dt.dtb: u-boot

>  	$(Q)$(MAKE) $(build)=dts dtbs

> +endif

>  

>  quiet_cmd_copy = COPY    $@

>        cmd_copy = cp $< $@

> -- 

> 2.17.1

>

Patch

diff --git a/Makefile b/Makefile
index b72d8d20c0..ebd4a6477c 100644
--- a/Makefile
+++ b/Makefile
@@ -1011,6 +1011,10 @@  cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }
 quiet_cmd_lzma = LZMA    $@
 cmd_lzma = lzma -c -z -k -9 $< > $@
 
+quiet_cmd_mkeficapsule = MKEFICAPSULE     $@
+cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \
+	-D $@
+
 cfg: u-boot.cfg
 
 quiet_cmd_cfgcheck = CFGCHK  $2
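Review bot: In `cmd_mkeficapsule`, nothing checks that `$(CONFIG_EFI_PKEY_FILE)` is set before it is handed to `-K`. If the variable expands to nothing, `-K` is followed directly by `-D` and the tool parses the wrong arguments, so the failure shows up far from its cause. Consider failing early with an explicit `$(error ...)` when the option is empty, and add a comment on what the key file must contain, since this key is what capsule authentication will trust. Style point: the `MKEFICAPSULE     $@` label is wider than the column used by `LZMA    $@` just above it.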
@@ -1161,8 +1165,14 @@  endif
 PHONY += dtbs
 dtbs: dts/dt.dtb
 	@:
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)
+dts/dt.dtb: u-boot tools
+	$(Q)$(MAKE) $(build)=dts dtbs
+	$(call cmd,mkeficapsule)
+else
 dts/dt.dtb: u-boot
 	$(Q)$(MAKE) $(build)=dts dtbs
+endif
 
 quiet_cmd_copy = COPY    $@
       cmd_copy = cp $< $@
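Review bot: The `ifeq` block repeats the whole `dts/dt.dtb` rule in both branches, duplicating `$(Q)$(MAKE) $(build)=dts dtbs`. A single rule with only the `tools` prerequisite and the `$(call cmd,mkeficapsule)` step made conditional would keep the two copies from drifting apart. The mkeficapsule step also rewrites `$@` in place after the sub-make has already produced it: if it fails, a `dts/dt.dtb` without the key is left behind as an up-to-date-looking target. Removing the target on failure, as `cmd_pad_cat` does with `|| { rm -f $@; false; }`, would avoid that, and the commit message should say whether re-running the step on a dtb that already holds the key is safe.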